Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
03-20-2024
11:43 PM
Thanks @gcusello @PickleRick for all the replies and tips and hints. It has been very helpful. In the end, I went with 1 data model with segregation done using source filtering. Still fiddling ...
See more...
Thanks @gcusello @PickleRick for all the replies and tips and hints. It has been very helpful. In the end, I went with 1 data model with segregation done using source filtering. Still fiddling with adding fields into data model but I am sure it will be a nice addition like to have extra info like indexes into the data model fields or during indexing. I wish I can mark both as solutions, but since I can only accept one, I will select Rick's as the reply gave the Eureka moment in which a single model doesn't impact the security roles (index selection) and subsequently made me switch to the single data model. But all in all, all the replies have made me learnt a lot. A big thank you.
03-20-2024
11:36 PM
1 Karma
Hi @pubuduhashan, if you're speaking of permit different access to a dashboard or to an index to different roles , it's possible managing the grants to the single knwledge objects (dashboards, even...
See more...
Hi @pubuduhashan, if you're speaking of permit different access to a dashboard or to an index to different roles , it's possible managing the grants to the single knwledge objects (dashboards, eventtypes, etc...). If you want to give limited access to some fields extracted from the raw data in en index, you can give different grants to the field extractions but anyway the users with that role continue to have access to the raw data in the index and it isn't possible to restrict access to a part of an index because grants are managed for the full index. In this case, you should copy only the information for the restricted roles in a different summary index (you don't pay additional license for this) and use this data for the restricted roles, but it's long to implement. Ciao. Giuseppe
03-20-2024
11:25 PM
1 Karma
Hi @anandhalagaras1,please try this: [your_sourcetype]
SEDCMD = s/password: ([^;]+);cpassword: ([^;]+);/password: (####);cpassword: (####);/gm that you can test at https://regex101.com/r/ppaFZc/1 ...
See more...
Hi @anandhalagaras1,please try this: [your_sourcetype]
SEDCMD = s/password: ([^;]+);cpassword: ([^;]+);/password: (####);cpassword: (####);/gm that you can test at https://regex101.com/r/ppaFZc/1 Ciao. Giuseppe
03-20-2024
11:17 PM
Hi @debjit_k , are you speaking of Splunk Support priority or Priority in ES Correlation searches? if Splunk Support, you define the Priority of your Cases when you oprn them. If you're speaking o...
See more...
Hi @debjit_k , are you speaking of Splunk Support priority or Priority in ES Correlation searches? if Splunk Support, you define the Priority of your Cases when you oprn them. If you're speaking of Priority in ES Correlation Searches, it's assigned to the associated assets or identities and with the Severity of the Correlation Search it determines the Urgency of a Notable. Ciao. Giuseppe
03-20-2024
11:14 PM
Hi Team, Want to mask two of the fields "password" and "cpassword" from the events which are getting written with the plain text information. So needs to be changed as #####. Sample event informati...
See more...
Hi Team, Want to mask two of the fields "password" and "cpassword" from the events which are getting written with the plain text information. So needs to be changed as #####. Sample event information: [2024-01-31_07:58:28] INFO : REQUEST: User:abc CreateUser POST: name: AB_Test_Max;email: xyz@gmail.com;password: abc12345679;cpassword: abc12345679;role: User; [2024-01-30_14:05:42] INFO : REQUEST: User:xyz CreateUser POST: name: Math_Lab;email: abc@yahoo.com;password: xyzab54;cpassword: xyzab54;role: Admin; So kindly help with the props.conf so that i can apply with SEDCMD-mask.
Labels
- Labels:
-
encryption
03-20-2024
10:52 PM
Hi All, Just wanted to know we have splunk ES and we use servicenow to triggered alert now my question is if there are few alert which I want to give Priority as P2 how can I do it in splunk as s...
See more...
Hi All, Just wanted to know we have splunk ES and we use servicenow to triggered alert now my question is if there are few alert which I want to give Priority as P2 how can I do it in splunk as splunk by default priority is P3.
03-20-2024
10:27 PM
When you say "in another application" what do you mean The predict command can be used to predict future trends https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Predict ...
See more...
When you say "in another application" what do you mean The predict command can be used to predict future trends https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Predict
03-20-2024
10:23 PM
Try this - use your index and I assume that the event _time stamp is the login time. index=bla userID=text123 earliest=-5m@m latest=@m
| stats dc(ip) as ips by userID
| where ips>1 If your events c...
See more...
Try this - use your index and I assume that the event _time stamp is the login time. index=bla userID=text123 earliest=-5m@m latest=@m
| stats dc(ip) as ips by userID
| where ips>1 If your events contain other info than just login details, then you may need to add login_time=* to the search
03-20-2024
08:39 PM
Hello everyone, i need solution for this. my data : userID=text123 , login_time="2024-03-21 08:04:42.201000", ip_addr=12.3.3.21 userID=text123, login_time="2024-03-21 08:00:00.001000", ip_addr=1...
See more...
Hello everyone, i need solution for this. my data : userID=text123 , login_time="2024-03-21 08:04:42.201000", ip_addr=12.3.3.21 userID=text123, login_time="2024-03-21 08:00:00.001000", ip_addr=12.3.3.45 userID=text123, login_time="2024-03-21 08:02:12.201000", ip_addr=12.3.3.21 userID=text123, login_time="2024-03-21 07:02:42.201000", ip_addr=12.3.3.34 i want get data, userID="text123 " AND in the last 5 minutes AND if mutiple ip i used join,map,append but not solved.please help for SPL this
Labels
- Labels:
-
join
03-20-2024
08:23 PM
HI Could you please share some image for the below request
03-20-2024
08:19 PM
Hello How to set time range from dropdown in Dashboard Studio? For example: Drop down: (Kindergarten, Elementary, Middle School, High School) If select "Kindergarten" ==> time range ...
See more...
Hello How to set time range from dropdown in Dashboard Studio? For example: Drop down: (Kindergarten, Elementary, Middle School, High School) If select "Kindergarten" ==> time range => Last 24 hour If select "Elementary" ==> time range => Last 3 day If select "Middle School" ==> time range => Last 7 day If select "High School" ==> time range => Last 30 day Thank you so much
Labels
- Labels:
-
Dashboard Studio
-
drilldown
-
token
03-20-2024
08:02 PM
Hi All Anyone can confirm is there any prebuilt dashboard available for SAP - customer data cloud. If no pre-built dashboard, then how would i like to pull all the logs from the SAP system to mo...
See more...
Hi All Anyone can confirm is there any prebuilt dashboard available for SAP - customer data cloud. If no pre-built dashboard, then how would i like to pull all the logs from the SAP system to monitor infrastructure metrics in splunk dashboard Note - Currently i have enabled all the logs are sent via connector, however i cant see end point logs
Labels
- Labels:
-
configuration
-
using Splunk Cloud
03-20-2024
07:05 PM
@marnall @Not really, it’s like if I’m running the search for last 24 hrs, I’d like to see the data for now()+1d.
03-20-2024
05:59 PM
Find out what the current time is then compare to you window times:
| eval timeNow = strftime(now(), "%H%M")
| where (timeNow < 2350 AND timeNow > 0015) ```Outside of main. window```
03-20-2024
05:09 PM
1 Karma
There is no one API that will return all of the KOs owned by a given user. You will have to combine multiple API results to get the full list. | rest /services/saved/searches ``` Searches, reports,...
See more...
There is no one API that will return all of the KOs owned by a given user. You will have to combine multiple API results to get the full list. | rest /services/saved/searches ``` Searches, reports, alerts ```
| rest /services/data/ui/views ``` Dashboards ```
| rest /services/data/macros ``` Macros ```
| rest /services/data/lookup-table-files ``` Lookup files ```
| rest /services/saved/eventtypes ``` Eventtypes ``` Those are some of the more common ones. See other available API endpoints using | rest /services/data or | rest /services/saved
03-20-2024
05:04 PM
Yes,I noticed that as well. I see the event count before the eventstats removes the fields that are over my 'where count' statement limit. I'm searching back 15 minutes and only have a few hundred ev...
See more...
Yes,I noticed that as well. I see the event count before the eventstats removes the fields that are over my 'where count' statement limit. I'm searching back 15 minutes and only have a few hundred events based on my geolocation and other criteria before the eventstats. But a few hundred is too many for a single person to weed through, looking for legit user activity when there are a few hundred non-legit user events. Thanks for the information.
03-20-2024
04:58 PM
Either the data in the summary index is incorrect or it's being used incorrectly. Was the data written using an si* (sistats, sichart, sitimechart, etc.) command? If so, then it must be read using ...
See more...
Either the data in the summary index is incorrect or it's being used incorrectly. Was the data written using an si* (sistats, sichart, sitimechart, etc.) command? If so, then it must be read using the same query and the non-si (stats, chart, timechart, etc.) command. Tell more about the two queries and we may be able to be more specific.
03-20-2024
04:48 PM
So, mvexpand may work, but it depends on how you got into this position to begin with. What's the query?
03-20-2024
04:34 PM
As I was going through the Asset and Identity Management manual, I couldn't see anything related to how to enrich the two lookup files assets_by_cidr.csv and assets_by_str.csv. For some reason (I cou...
See more...
As I was going through the Asset and Identity Management manual, I couldn't see anything related to how to enrich the two lookup files assets_by_cidr.csv and assets_by_str.csv. For some reason (I couldn't figure out why), the assets_by_str.csv is filled with data and is populating data when running any search. However, nothing is getting fetched to assets_by_cidr.csv, I'm not sure if this is supposed to be filled automatically? and I can't find any configuration that associates where these two CSVs are taking the data from... I can only see that they're coming from the app SA-IdentityManagement, can someone please help in troubleshooting this? Where are these two lookup table expected to get the data from and how? Lastly, to give more context, the final purpose it to fulfill the request of data enrichment for this specific use case Detect Large Outbound ICMP Packets...
03-20-2024
04:20 PM
Well - I always have problem with clear explanation, sorry about it. So look at the graph below It is exactly what I need . One "series" - bars is a count for each uniqe value >> timechart cou...
See more...
Well - I always have problem with clear explanation, sorry about it. So look at the graph below It is exactly what I need . One "series" - bars is a count for each uniqe value >> timechart count by kmethod Second series , black line, just a simple sum or average function >> timechart sum(kmethod)
